We're having trouble with PacketFence throwing violations on P2P activity.
It doesn't seem to be detecting it.  Back when we were running PacketFence
3.x it was working, but we've recently come to realize that on our
PacketFence 5.2 system, it is not catching it.  We've recently come to
suspect our students are successfully using bittorrent programs, so I did a
quick download of Vuze, and torrented a copy of Linux without any issue to
confirm PacketFence/Snort isn't catching it.

We are running our system as Inline right now with all of our internal
interfaces marked as "monitor" as well.  We do get the occasional "Rogue
DHCP" alert, so we know Snort is doing *something*... But I don't see any
log files that mention any torrent activity.

We've also tried explicitly adding all of the SIDs listed in the
emerging-p2p.rules file.  Here's our violation.conf file below.  Would
anything else be helpful?

# Most of the snort rules are from Emerging Threats (http://www.emergingthreats.net/)
#
# In order to use different rulesets, please point the variable snort_rules,
# defined below (in [defaults]), to your local file(s).
#
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
window=0
delay_by=0s
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# Accepted values are the vlan names: isolation, normal, registration, macDetection, inline, voice
# and all the roles names you defined in the node_category table. (see switches.conf)
vlan=isolation
# if you add a role/category here, nodes in these roles/categories will be immune to the violation
whitelisted_categories=
template=generic

[1100001]
desc=Nessus Scan
# On a Scan violation priority must be higher (lower number) than the special system scan violation (1200001)
priority=4
template=failed_scan
max_enable=4
button_text=Scan my computer again
trigger=Nessus::10861,Nessus::10943,Nessus::11177,Nessus::11231,Nessus::11302,Nessus::11304,Nessus::11528,Nessus::11595,Nessus::11664,Nessus::11787,Nessus::11790,Nessus::11803,Nessus::11808,Nessus::11835,Nessus::11878,Nessus::11886,Nessus::11887,Nessus::11921,Nessus::12051,Nessus::12052,Nessus::12054,Nessus::12092,Nessus::12208,Nessus::12209,Nessus::13641,Nessus::13852,Nessus::14724,Nessus::15460,Nessus::15894,Nessus::15970,Nessus::16324,Nessus::16326,Nessus::16327,Nessus::16328,Nessus::16329,Nessus::18020,Nessus::18021,Nessus::18023,Nessus::18025,Nessus::18027,Nessus::18028,Nessus::18215,Nessus::18482,Nessus::18483,Nessus::18490,Nessus::18502,Nessus::18681,Nessus::18682,Nessus::19401,Nessus::19402,Nessus::19406,Nessus::19408,Nessus::20005,Nessus::20172,Nessus::20299,Nessus::20368,Nessus::20382,Nessus::20389,Nessus::20390,Nessus::20904,Nessus::20905,Nessus::21213,Nessus::21332,Nessus::21685,Nessus::21687,Nessus::22030,Nessus::22034,Nessus::22183,Nessus::22184,Nessus::22185,Nessus::22186,Nessus::22187,Nessus::22192,Nessus::22194,Nessus::22332,Nessus::22449,Nessus::22530,Nessus::23644,Nessus::23646,Nessus::23647,Nessus::23833,Nessus::23835,Nessus::23837,Nessus::23838,Nessus::23999,Nessus::24000
actions=trap,email,log
enabled=Y
# for faster remediation, it is recommended to leave an offending client in the registration vlan (where it is scanned)
vlan=registration

[1100002]
desc=OpenVAS scan
# On a scan violation priority must be higher (lower number) than the special system scan violation (1200001)
priority=4
template=failed_scan
max_enable=4
button_text=Scan my computer again
trigger=OpenVAS::1.3.6.1.4.1.25623.1.0.90023,OpenVAS::1.3.6.1.4.1.25623.1.0.14259,OpenVAS::1.3.6.1.4.1.25623.1.0.800618,OpenVAS::1.3.6.1.4.1.25623.1.0.90011
actions=trap,email,log
enabled=Y
# for faster remediation, it is recommended to leave an offending client in the registration vlan (where it is scanned)
vlan=registration

#
# Example config to block a whole class of devices based on their MAC address vendor
# Trigger format: The number is the ID of the MAC vendor from the 'MAC Vendor' list in Fingerbank (either 'upstream' or 'local' or both)
#
# The below example blocks MAC Vendor ID 42 which is 'IMC Networks corp.'
#
[1100003]
desc=MAC Vendor isolation example
template=banned_devices
trigger=MAC_VENDOR::42
actions=trap,email,log
enabled=N

#
# Example config to block a device based on its type or class
# Trigger format: The number is the ID of the device (type or class or both) from the 'Device' list in Fingerbank (either 'upstream' or 'local' or both)
#
# The below example blocks Windows 95, 98, 98SE, NT4 and ME.
#
[1100004]
desc=Ancient OS isolation example
template=banned_os
trigger=DEVICE::28,DEVICE::29,DEVICE::30,DEVICE::31,DEVICE::32
actions=trap,email,log
enabled=N

#
# Example config to block a specific Browser User Agent
# Trigger format: The number is the ID of the user-agent from the 'User Agent' list in Fingerbank (either 'upstream' or 'local' or both)
#
# The below example blocks user-agents IDs 101 and 102.
#
[1100005]
desc=Browser isolation example
template=banned_devices
trigger=USER_AGENT::101,USER_AGENT::102
actions=trap,email,log
enabled=N

[1100006]
desc=P2P Isolation (snort example)
template=p2p
trigger=Detect::2001808,Detect::2000334,Detect::2000357,Detect::2000369,Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300,Detect::2001664,Detect::2002760,Detect::2002761,Detect::2001796,Detect::2001812
actions=trap,email,log
enabled=N

[1100007]
desc=Auto-register Device example
priority=1
trigger=DEVICE::10,DEVICE::12,DEVICE::13,DEVICE::3,DEVICE::6,DEVICE::7,DEVICE::8
actions=autoreg,log
enabled=N
template=failed_scan
auto_enable=N
whitelisted_categories=

[1100008]
desc=Disable NATing Routers and APs
template=nat
trigger=Detect::1100005,Detect::1100006,Detect::1100007,DEVICE::4
actions=trap,email,log
enabled=N

#
# Example config to be alerted of the presence of one specific MAC address in the network.
# Useful for stolen devices if you happen to know the MAC of a stolen device.
# Trigger format: The number is a decimal representation of the MAC.
# To generate such a representation you can use perl -e 'print hex("f04da2cbd9c5"),"\n";'. Ignore the warning.
#
[1100009]
desc=MAC isolation example
template=banned_devices
trigger=MAC::264216234416581
actions=email,log
enabled=N

[1100010]
desc=Rogue DHCP
template=roguedhcp
trigger=internal::1100010
actions=email,log
enabled=Y

[1100011]
desc=Bandwidth Limit example (20GB/month)
template=bandwidth_limit
trigger=Accounting::TOT20GBM
grace=0
window=dynamic

[1100020]
desc=Wireless IPS
trigger=internal::1100020
actions=email,log
enabled=Y

#
#  1200000 - 1299999 Reserved for required administration violations
#
[1200001]
priority=9
desc=System Scan
# someone should always be able to try to scan its system again
max_enable=0
grace=1s
template=system_scan
actions=trap,log
button_text=Scan
enabled=Y
auto_enable=Y
# Scan is taking place in the registration vlan don't change this value.
vlan=registration

[1200002]
priority=9
desc=Time Expiration
max_enable=1
grace=0
template=time_expiration
trigger=Accounting::TimeExpired
actions=trap,log
enabled=Y
auto_enable=N
vlan=registration

[1200003]
priority=9
desc=Bandwidth Limit
max_enable=1
grace=0
template=bandwidth_expiration
trigger=Accounting::BandwidthExpired
actions=trap,log
enabled=Y
auto_enable=N
vlan=registration

[1200004]
priority=9
desc=Post Reg System Scan
# someone should always be able to try to scan its system again
max_enable=0
grace=1h
actions=log
enabled=Y
auto_enable=Y

[1200005]
priority=9
desc=Pre Reg System Scan
# someone should always be able to try to scan its system again
max_enable=0
grace=1h
actions=log
enabled=Y
auto_enable=Y
vlan=registration

#
# 1300000 - 1399999 Reserved for PacketFence violations
#
[1300000]
desc=Generic
priority=8
actions=trap,log
template=generic
enabled=Y

[1300001]
desc=Spam
priority=6
actions=trap,log
template=spam
enabled=Y

[1300002]
desc=Provisioning Enforcement
priority=6
actions=enforce_provisioning,log
template=enforce_provisioning
trigger=Provisioner::check
enabled=Y
grace=0s
delay_by=2m

#
# 1400000 - 1499999 Reserved for local violations
#
#
# 2000000 - 2099999 Snort violations
#
[2000000]
desc=Malware
priority=4
template=malware
enabled=Y
actions=email,trap,log
# For conficker: Detect::2008802,Detect::2008803,Detect::2009024,Detect::2009114,Detect::2009200,Detect::2009201
trigger=Detect::2008802,Detect::2008803,Detect::2009024,Detect::2009114,Detect::2009200,Detect::2009201
auto_enable=N
whitelisted_categories=

[2000032]
desc=LSASS Exploit
priority=4
template=lsass
redirect_url=/proxies/tools/stinger.exe
enabled=Y
trigger=Detect::2000032,Detect::2000033,Detect::2000046,Detect::2001286,Detect::2001302,Detect::2001337
actions=email,trap
auto_enable=N
whitelisted_categories=

[2002030]
desc=IRC Trojan
priority=3
auto_enable=N
template=trojan
enabled=Y
trigger=Detect::2000345,Detect::2000347,Detect::2000348,Detect::2000349,Detect::2000350,Detect::2000351,Detect::2000352,Detect::2002029,Detect::2002030,Detect::2002031,Detect::2002032,Detect::2002033
actions=email,trap,log
whitelisted_categories=

# The following signatures replace the generic portscan detector.  It was notoriously noisy, especially
# for BitTorrent clients.  These new signatures look for most of the "worm-like" scanning behaviors.
[2002201]
desc=Zotob (W32.Zotob and variants)
priority=4
template=zotob
enabled=Y
trigger=Detect::2002201,Detect::2002203
actions=email,trap,log
auto_enable=N
whitelisted_categories=

[2001904]
desc=Telnet Scan
priority=6
template=scanning
enabled=Y
auto_enable=N
trigger=Detect::2001904
actions=email,trap,log
whitelisted_categories=

[2001972]
desc=Remote Desktop Scan
priority=6
template=scanning
enabled=Y
auto_enable=N
trigger=Detect::2001972
actions=email,trap,log
whitelisted_categories=

[2001569]
desc=NetBIOS Scan
priority=6
template=scanning
enabled=Y
auto_enable=N
trigger=Detect::2001569,Detect::2001579,Detect::2001580,Detect::2001581,Detect::2001582,Detect::2001583
actions=email,trap,log
whitelisted_categories=

# The following are peer-to-peer (P2P) signatures.  They can be exceedingly loud, but seem fairly accurate in our experience.
# Since P2P is not considered illicit on all networks, they are all shipped disabled - set disable=N to enable.
[2000334]
desc=P2P (BitTorrent)
priority=1
template=p2p
enabled=Y
max_enable=1
trigger=Detect::2000015,Detect::2000330,Detect::2000332,Detect::2000333,Detect::2000334,Detect::2000335,Detect::2000340,Detect::2000357,Detect::2000369,Detect::2001035,Detect::2001036,Detect::2001037,Detect::2001059,Detect::2001187,Detect::2001188,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001652,Detect::2001664,Detect::2001796,Detect::2001808,Detect::2001809,Detect::2002673,Detect::2002760,Detect::2002761,Detect::2002814,Detect::2002950,Detect::2002951,Detect::2002952,Detect::2002953,Detect::2003308,Detect::2003309,Detect::2003310,Detect::2003311,Detect::2003312,Detect::2003314,Detect::2003315,Detect::2003316,Detect::2003318,Detect::2003319,Detect::2003321,Detect::2003322,Detect::2003323,Detect::2003324,Detect::2003437,Detect::2003475,Detect::2006371,Detect::2006372,Detect::2006375,Detect::2006379,Detect::2007727,Detect::2007799,Detect::2007800,Detect::2007801,Detect::2008113,Detect::2008115,Detect::2008364,Detect::2008581,Detect::2008582,Detect::2008583,Detect::2008584,Detect::2008585,Detect::2008591,Detect::2008595,Detect::2008611,Detect::2008625,Detect::2009097,Detect::2009098,Detect::2009099,Detect::2009205,Detect::2009206,Detect::2009207,Detect::2009208,Detect::2009966,Detect::2009967,Detect::2009968,Detect::2009969,Detect::2009970,Detect::2009972,Detect::2009973,Detect::2009986,Detect::2010008,Detect::2010139,Detect::2010140,Detect::2010141,Detect::2010142,Detect::2010143,Detect::2010144,Detect::2011232,Detect::2011699,Detect::2011700,Detect::2011701,Detect::2011702,Detect::2011703,Detect::2011704,Detect::2011705,Detect::2011706,Detect::2011707,Detect::2011710,Detect::2011711,Detect::2011712,Detect::2011713,Detect::2012247,Detect::2012390,Detect::2012467,Detect::2013739,Detect::2013740,Detect::2013869,Detect::2013911,Detect::2013912,Detect::2014459,Detect::2014734,Detect::2015966,Detect::2015967,Detect::2016662,Detect::2017462,Detect::2017726,Detect::2018012,Detect::2018413,Detect::2018464,Detect::2018517,Detect::2018532,Detect::2018666,Detect::2018667,Detect::2018894,Detect::2018971,Detect::2018981,Detect::2018982,Detect::2018983,Detect::2019103,Detect::2019830,Detect::2022371,Detect::2100556,Detect::2100557,Detect::2101432,Detect::2101699,Detect::2102180,Detect::2102181,Detect::2102584,Detect::2102586,Detect::2102587
actions=email,trap,log
auto_enable=N
whitelisted_categories=
vlan=isolation

[2001808]
desc=P2P (Limewire)
priority=8
template=p2p
enabled=Y
max_enable=1
trigger=Detect::2001808
actions=email,trap,log
auto_enable=N
whitelisted_categories=

[2000330]
desc=P2P (eDonkey)
priority=8
template=p2p
enabled=Y
max_enable=1
trigger=Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001300,Detect::2001305
actions=email,trap,log
auto_enable=N
whitelisted_categories=

[2001664]
desc=P2P (Gnutella)
priority=8
template=p2p
enabled=Y
max_enable=1
trigger=Detect::2001664,Detect::2002760,Detect::2002761
actions=email,trap,log
auto_enable=N
whitelisted_categories=

[2001812]
desc=P2P (Kazaa)
priority=1
template=p2p
enabled=Y
max_enable=1
trigger=Detect::2001796,Detect::2001812
actions=email,trap,log
auto_enable=N
whitelisted_categories=

#
# 3000000 - 3099999 Device bans
#
[3000001]
desc=Block all mobile devices
template=banned_devices
actions=email,log,trap
enabled=N
priority=10
trigger=DEVICE::11

[3000002]
desc=Block Apple iPod, iPhone or iPad
template=banned_devices
actions=trap,email,log
enabled=N
priority=10
trigger=DEVICE::193

[3000003]
desc=Block BlackBerries
template=banned_devices
actions=trap,email,log
enabled=N
priority=10
trigger=DEVICE::192

[3000004]
desc=Block PS3 and PSP
template=banned_devices
actions=trap,email,log
enabled=N
priority=10
trigger=DEVICE::274

[3000005]
desc=Block Slingbox
template=banned_devices
actions=trap,email,log
enabled=N
priority=10
trigger=DEVICE::143

Thanks,
Joshua Nathan
Level 3 IT Support and Development
Black Forest Academy
+49 (0) 7626-9161-630
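When a Snort-driven violation never fires, the first thing to establish from the configuration alone is whether the two lookups even line up: does an uncommented rule in one of the files named in `snort_rules` carry the SID, and does an enabled violation list that SID as a `Detect::` trigger? The posted file has the pattern worth checking for: `[1100006]` and `[2000334]` reference overlapping SIDs, with only the latter enabled, and `[2000334]`'s trigger line arrives wrapped after a bare `Detect::`. The following checker is an added example, not code from the post or from PacketFence: it parses the INI-style violations.conf, re-joins lines a mail client wrapped, and cross-references `Detect::` triggers against the `sid:` values of uncommented rules. The sample config excerpt and the sample rules are constructed for this example (the rule `msg` texts are made up; the sid numbers were chosen to match the excerpt). It says nothing about whether Snort alerts actually reach PacketFence at run time, which this configuration cannot show.

```python
import re

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")  # INI key=value line
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")               # sid option of a Snort rule

# Constructed excerpt in the shape of the poster's file, not the full file. The
# trigger of [2000334] is wrapped mid-token the way a mail client wraps it.
SAMPLE_VIOLATIONS = """\
[defaults]
priority=4
snort_rules=local.rules,emerging-p2p.rules
enabled=N

[1100006]
desc=P2P Isolation (snort example)
trigger=Detect::2001808,Detect::2000334
enabled=N

[2000334]
desc=P2P (BitTorrent)
trigger=Detect::2000334,Detect::2008581,Detect::
2008582
enabled=Y
"""

# Constructed rules excerpt: msg texts are made up and the sid values were
# chosen to match the sample violations. One rule is commented out on purpose.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE P2P handshake"; content:"|13|BitTorrent protocol"; sid:2000334; rev:1;)
# alert udp any any -> any any (msg:"SAMPLE P2P disabled rule"; sid:2008581; rev:1;)
alert udp $HOME_NET any -> any any (msg:"SAMPLE P2P DHT query"; content:"d1|3a|ad2|3a|id20|3a|"; sid:2008582; rev:2;)
alert tcp $HOME_NET any -> any any (msg:"SAMPLE P2P other client"; sid:2001808; rev:1;)
"""


def logical_lines(text):
    """Undo mail wrapping: a line that is neither [section], # comment nor
    key=value continues the previous logical line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_section = line.startswith("[") and line.endswith("]")
        if is_section or line.startswith("#") or KEY_RE.match(line) or not out:
            out.append(line)
        else:
            # Comments were wrapped at word boundaries, values mid-token.
            out[-1] += (" " if out[-1].startswith("#") else "") + line
    return out


def parse_violations(text):
    """Return {section_name: {key: value}} for a violations.conf text."""
    sections, current = {}, None
    for line in logical_lines(text):
        if line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def detect_sids(section):
    """Snort SIDs a violation reacts to: its Detect::<sid> triggers only."""
    sids = set()
    for token in section.get("trigger", "").split(","):
        kind, _, value = token.strip().partition("::")
        if kind == "Detect" and value.isdigit():
            sids.add(int(value))
    return sids


def loaded_sids(rules_text):
    """SIDs of rules Snort will load; commented-out rules are skipped."""
    active = (l for l in rules_text.splitlines() if not l.lstrip().startswith("#"))
    return {int(m.group(1)) for l in active for m in SID_RE.finditer(l)}


def audit(violations_text, rules_text):
    """Cross-check Detect:: triggers against the SIDs Snort actually loads."""
    sections = parse_violations(violations_text)
    defaults = sections.pop("defaults", {})
    enabled, disabled = set(), set()
    for section in sections.values():
        # A section without enabled= inherits the value from [defaults].
        on = section.get("enabled", defaults.get("enabled", "N")).upper() == "Y"
        (enabled if on else disabled).update(detect_sids(section))
    active = loaded_sids(rules_text)
    return {
        "enabled_sids": enabled,                   # an enabled violation acts on these
        "disabled_only_sids": disabled - enabled,  # alert fires, no violation raised
        "missing_rules": enabled - active,         # no loaded rule can ever trigger these
        "unmapped_rules": active - enabled,        # rule loads, no enabled violation listens
    }
```

To run it against a real deployment, pass `audit()` the text of your violations.conf and the concatenated contents of every file listed in `snort_rules`; the `disabled_only_sids` and `missing_rules` sets are the ones to look at first, since a SID in either will produce Snort alerts (or none) without ever raising a violation.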
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users